Here is how organizations can implement the newly updated, principles-based internal control framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which was released May 14 (visit ic.coso.org). The original 1992 framework has been sharpened and refreshed to reflect the current business environment.
Create a team and a plan. In many cases, the CFO
will oversee implementation of the COSO framework in conjunction with
the chief compliance officer and chief risk officer. Internal auditors
can play a valuable support and evaluation role but will need to
preserve their ability to be objective for future audits. The CEO,
audit committee, and board of directors will need to be kept informed
on objectives and progress. What are the time commitments required of
parties involved, including external auditors? You need to have a plan.
Use a building-block approach. Use the five
components of the framework (control environment, risk assessment,
control activities, information and communication, and monitoring
activities) to break the project into workable pieces. Then focus on
making sure the principles in each component are all operating
together as they should. As in the past, this requires a significant
amount of judgment.
Build off what you’re currently doing. Companies that are
well controlled can build on their internal control system already in
place. Some may need to refocus or refine control processes or just
update their documentation. Seventeen principles are specified across
the five components of internal control in the updated framework and
will guide you. Mapping the principles to your controls may be a
helpful exercise.
Pay attention to the points of focus. Each of the
17 principles is accompanied by points of focus to consider. Although
some may not apply in all circumstances, they provide excellent
insight as a guide to implementation and evaluation.
Use the Illustrative Tools and Internal Control
Over External Financial Reporting: A Compendium of Approaches and
Examples documents that accompany the framework.
The examples in the Compendium should provide useful ideas for
applying the framework to a specific situation. The Illustrative
Tools document contains templates for evaluating and documenting
effectiveness of internal control.
Focus on the role of IT. Changes in technology
were a driving force in the decision to update the framework. Consider
how IT is being used, focus on recent developments such as cloud
computing and social media, and take into account the implications
technology has for internal control.
Look for added value. Don’t just approach
implementation as a necessity for compliance. Use this as an
opportunity to find ways to improve effectiveness and increase the
efficiency of your control system. Set goals for what you want to
achieve in implementing the framework beyond just compliance.
Make the switch. COSO is not a standard setter and
does not have power to require an organization to switch from the 1992
framework to the updated version. But after the transition period ends
on Dec. 15, 2014, COSO will consider the 1992 framework to be
superseded. Public companies will have difficulty explaining why they
are referencing the prior version once the transition period ends.
Meanwhile, during the transition period, make sure you indicate which
version of the framework you are referencing.
Editor’s note: COSO is a joint initiative of five private-sector organizations, including the AICPA, which provides thought leadership on enterprise risk management, internal control, and fraud deterrence.
—By Doug Prawitt, CPA, Ph.D. (prawitt@byu.edu), a Brigham Young University accountancy professor and COSO board member, and Ken Tysiac (ktysiac@aicpa.org), a JofA senior editor.